From 88f0ad9bf7c20aeb63d34539be40aa5e1b38952e Mon Sep 17 00:00:00 2001 From: Amy Zwarico Date: Wed, 18 Mar 2020 17:40:59 +0000 Subject: VFN Requirements Security Changes Round 2 VNFRQTS-772, VNFRQTS-773, VNFRQTS-777, VNFRQTS-779, VNFRQTS-780, VNFRQTS-782, VNFRQTS-786, VNFRQTS-788, VNFRQTS-794, VNFRQTS-815, VNFRQTS-816, VNFRQTS-817, VNFRQTS-818, VNFRQTS-819, VNFRQTS-820, VNFRQTS-821, VNFRQTS-822, VNFRQTS-823, VNFRQTS-824, VNFRQTS-825, VFNRQTS-826, VNFRQTS-829, VNFRQTS-837, VNFRQTS-838, VFNRQTS-840, VNFRQTS-841, VNFRQTS-713 Issue-ID: VNFRQTS-772 Signed-off-by: Amy Zwarico Change-Id: I458c54682d592f050142aab823583916002d7859 --- docs/Chapter4/Security.rst | 199 ++++++++++++++++++++++----------------------- 1 file changed, 99 insertions(+), 100 deletions(-) (limited to 'docs/Chapter4/Security.rst') diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index bcec56b..ec89edb 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst @@ -105,22 +105,19 @@ the product's lifecycle. perform automated system configuration auditing at configurable time intervals. -.. req:: - :id: R-23882 - :target: VNF - :keyword: SHOULD - :updated: casablanca - - The VNF **SHOULD** provide the capability for the Operator to run security - vulnerability scans of the operating system and all application layers. - .. req:: :id: R-46986 :target: VNF - :keyword: SHOULD + :keyword: MUST + :updated: frankfurt - The VNF **SHOULD** have source code scanned using scanning - tools (e.g., Fortify) and provide reports. + The VNF provider **MUST** follow GSMA vendor practices and SEI CERT Coding + Standards when developing the VNF in order to minimize the risk of + vulnerabilities. See GSMA NESAS Network Equipment Security Assurance Scheme – + Development and Lifecycle Security Requirements Version 1.0 (https://www.gsma.com/ + security/wp-content/uploads/2019/11/FS.16-NESAS-Development-and-Lifecycle-Security- + Requirements-v1.0.pdf) and SEI CERT Coding Standards (https://wiki.sei.cmu.edu/ + confluence/display/seccode/SEI+CERT+Coding+Standards). .. req:: :id: R-99771 @@ -139,29 +136,23 @@ the product's lifecycle. :id: R-19768 :target: VNF :keyword: SHOULD - :updated: casablanca - - The VNF **SHOULD** support network segregation, i.e., separation of OA&M - traffic from signaling and payload traffic, using technologies such as - VPN and VLAN. - -.. req:: - :id: R-40813 - :target: VNF - :keyword: SHOULD - :updated: casablanca + :updated: frankfurt - The VNF **SHOULD** support the use of virtual trusted platform - module. + The VNF **SHOULD** support the separation of (1) signaling and payload traffic + (i.e., customer facing traffic), (2) operations, administration and management + traffic, and (3) internal VNF traffic (i.e., east-west traffic such as storage + access) using technologies such as VPN and VLAN. .. req:: :id: R-56904 :target: VNF :keyword: MUST + :updated: frankfurt The VNF **MUST** interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual - routing and forwarding rules. + routing and forwarding rules. This does not preclude the VNF providing other + interfaces for modifying rules. .. req:: :id: R-69649 @@ -178,9 +169,9 @@ the product's lifecycle. :id: R-62498 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** support encrypted access protocols, e.g., TLS, + The VNF **MUST** support only encrypted access protocols, e.g., TLS, SSH, SFTP. .. req:: @@ -211,11 +202,9 @@ the product's lifecycle. :id: R-19082 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** allow the Operator to disable or remove any security - testing tools or programs included in the VNF, e.g., password cracker, - port scanner. + The VNF **MUST** not contain undocumented functionality. .. req:: :id: R-21819 @@ -231,10 +220,9 @@ the product's lifecycle. :id: R-86261 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** support the ability to prohibit remote access to the VNF - via a host based security mechanism. + The VNF **MUST** be able to authenticate and authorize all remote access. .. req:: :id: R-638682 @@ -294,26 +282,38 @@ the product's lifecycle. encrypted protocol such as SSH or TLS. .. req:: - :id: R-343842 + :id: R-842258 :target: VNF :keyword: MUST :introduced: casablanca + :updated: frankfurt - The VNF **MUST**, after a successful login at command line or a GUI, - display the last valid login date and time and the number of unsuccessful - attempts since then made with that user's ID. This requirement is only - applicable when the user account is defined locally in the VNF. + The VNF **MUST** include a configuration (e.g. a heat template or CSAR package) + that specifies the targeted parameters (e.g. a limited set of ports) + over which the VNF will communicate; including internal, external and + management communication. .. req:: - :id: R-842258 + :id: R-353637 :target: VNF - :keyword: MUST - :introduced: casablanca + :keyword: SHOULD + :introduced: frankfurt + + Containerized components of VNFs **SHOULD** follow the recommendations for + Container Base Images and Build File Configuration in the latest available version + of the CIS Docker Community Edition Benchmarks to ensure that containerized VNFs + are secure. All non-compliances with the benchmarks MUST be documented. + +.. req:: + :id: R-381623 + :target: VNF + :keyword: SHOULD + :introduced: frankfurt - The VNF **MUST** include a configuration, e.g., a heat template or CSAR - package, that specifies the targetted parameters, e.g. a limited set of - ports, over which the VNF will communicate (including internal, external - and management communication). + Containerized components of VNFs **SHOULD** execute in a Docker run-time environment + that follows the Container Runtime Configuration in the latest available version + of the CIS Docker Community Edition Benchmarks to ensure that containerized VNFs + are secure. All non-compliances with the benchmarks MUST be documented. VNF Identity and Access Management Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -338,22 +338,30 @@ Identity and Access Management Requirements :id: R-42874 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** allow the Operator to restrict access based on - the assigned permissions associated with an ID in order to support - Least Privilege (no more privilege than required to perform job - functions). + The VNF **MUST** allow the Operator to restrict access to protected + resources based on the assigned permissions associated with an ID in + order to support Least Privilege (no more privilege than required to + perform job functions). .. req:: - :id: R-71787 + :id: R-358699 :target: VNF :keyword: MUST - :updated: casablanca + :introduced: frankfurt - Each architectural layer of the VNF (eg. operating system, network, - application) **MUST** support access restriction independently of all - other layers so that Segregation of Duties can be implemented. + The VNF **MUST** support at least the following roles: system administrator, + application administrator, network function O&M. + +.. req:: + :id: R-373737 + :target: VNF + :keyword: MUST + :introduced: frankfurt + + The VNF **MUST**, if not integrated with the operator's IAM system, provide + a mechanism for assigning roles and/or permissions to an identity. .. req:: :id: R-59391 @@ -369,25 +377,20 @@ Identity and Access Management Requirements :id: R-86835 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt The VNF **MUST** set the default settings for user access to deny authorization, except for a super user type of account. - When a VNF is added to the network, nothing should be able to use - it until the super user configures the VNF to allow other users - (human and application) have access. .. req:: :id: R-81147 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** support strong authentication, also known as - multifactor authentication, on all protected interfaces exposed by the - VNF for use by human users. Strong authentication uses at least two of the - three different types of authentication factors in order to prove the - claimed identity of a user. + The VNF **MUST**, if not integrated with the Operator’s Identity and + Access Management system, support multifactor authentication on all + protected interfaces exposed by the VNF for use by human users. .. req:: :id: R-39562 @@ -396,15 +399,6 @@ Identity and Access Management Requirements The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. -.. req:: - :id: R-15671 - :target: VNF - :keyword: MUST - :updated: casablanca - - The VNF **MUST** provide access controls that allow the Operator - to restrict access to VNF functions and data to authorized entities. - .. req:: :id: R-75041 :target: VNF @@ -438,87 +432,92 @@ Identity and Access Management Requirements :target: VNF :keyword: MUST :introduced: casablanca + :updated: frankfurt - The VNF MUST not store authentication credentials to itself in clear + The VNF **MUST** not store authentication credentials to itself in clear text or any reversible form and must use salting. .. req:: :id: R-79107 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST**, if not integrated with the Operator's Identity - and Access Management system, support the ability to disable the + The VNF **MUST**, if not integrated with the Operator’s Identity + and Access Management system, support the ability to lock out the userID after a configurable number of consecutive unsuccessful - authentication attempts using the same userID. + authentication attempts using the same userID. The locking mechanism + must be reversible by an administrator and should be reversible after + a configurable time period. .. req:: :id: R-23135 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt The VNF **MUST**, if not integrated with the Operator's identity and - access management system, authenticate all access to protected GUIs, CLIs, - and APIs. + access management system, authenticate all access to protected resources. .. req:: :id: R-78010 :target: VNF :keyword: MUST - :updated: casablanca + :updated: frankfurt - The VNF **MUST** integrate with standard identity and access management - protocols such as LDAP, TACACS+, Windows Integrated Authentication - (Kerberos), SAML federation, or OAuth 2.0. + The VNF **MUST** support LDAP in order to integrate with an external identity + and access manage system. It MAY support other identity and access management + protocols. .. req:: :id: R-814377 :target: VNF :keyword: MUST :introduced: casablanca + :updated: frankfurt The VNF **MUST** have the capability of allowing the Operator to create, - manage, and automatically provision user accounts using an Operator - approved identity lifecycle management tool using a standard protocol, - e.g., NETCONF API. + manage, and automatically provision user accounts using one of the protocols + specified in Chapter 7. .. req:: :id: R-931076 :target: VNF :keyword: MUST - :introduced: casablanca + :introduced: frankfurt The VNF **MUST** support account names that contain at least A-Z, a-z, - 0-9 character sets and be at least 6 characters in length. + and 0-9 character sets and be at least 6 characters in length. .. req:: :id: R-581188 :target: VNF :keyword: MUST NOT :introduced: casablanca + :updated: frankfurt - A failed authentication attempt **MUST NOT** identify the reason for the - failure to the user, only that the authentication failed. + The VNF **MUST NOT** identify the reason for a failed authentication, + only that the authentication failed. .. req:: :id: R-479386 :target: VNF - :keyword: MUST NOT + :keyword: MUST :introduced: casablanca + :updated: frankfurt - The VNF **MUST NOT** display "Welcome" notices or messages that could - be misinterpreted as extending an invitation to unauthorized users. + The VNF **MUST** provide the capability of setting a configurable message + to be displayed after successful login. It MAY provide a list of supported + character sets. .. req:: :id: R-231402 :target: VNF :keyword: MUST :introduced: casablanca + :updated: frankfurt - The VNF **MUST** provide a means for the user to explicitly logout, thus - ending that session for that authenticated user. + The VNF **MUST** provide a means to explicitly logout, thus ending that session. .. req:: :id: R-251639 -- cgit 1.2.3-korg